Knox White Paper
The following table summarizes the advantages offered by Samsung Knox devices over non-Samsung devices, and Knox Platform for Enterprise (KPE) over Android Enterprise (AE). KPE Standard adds security claims and abilities on top of AE. KPE Premium provides even more powerful features for enterprise deployments. For more information, see the Knox Platform for Enterprise home page.
| Feature | AE on non-Samsung devices | KPE Standard on Samsung devices | KPE Premium on Samsung devices | Advantages of KPE over AE |
|---|---|---|---|---|
| All Android Enterprise Features | ● | ● | ● | KPE incorporates AE. |
| Secure Lockdown on Tampering | ◐ | ● | ● | Upon detecting critical security compromises, the system locks down sensitive areas, preventing unauthorized enterprise data access and leakage. Samsung prevents whole components from running when there is evidence of device tampering. |
| Remote Device Health | ◐ | ● | ● | Get visibility into which devices have security issues like unauthorized firmware, allowing you to take action right away. |
| Audit Log | ◕ | ◕ | ● | Provides comprehensive device audit logs for troubleshooting and satisfying government compliance requirements. |
| Keystore Support of eSE & Other High-Security Storage | ◕ | ◕ | ● | AE will support eSE in Android P. KPE already supports eSE in addition to third-party secure storage options using vendor plugins. Through the UCM framework, app changes are not required. Note — eSE is not available with these country-carriers: USA - Verizon, Korea - All, Japan - All, Canada - Telus. |
| Real-Time Kernel Protection (RKP) | | ● | ● | Drastically limits possible attacks on Samsung devices with best-in-class kernel attack prevention features including kernel code, kernel data, and kernel control flow protections. |
| Sensitive Data Protection (SDP) | | ● | ● | |
| | | | ● | Enables IT admins to force end-user two-factor authentication for logging in to a Work container or Managed Device. Authentication can be through biometrics (fingerprint, iris, face) or more traditional means (password, PIN, pattern). |
| | | | ● | Simplifies configuring devices into a compliant state for Common Criteria (defense) deployments. |
| App Isolation Groups | | | ● | Unlike classic app containers with a GUI, you can manage "invisible" app isolation groups to protect a set of apps from any other set. Up to 300 groupings are possible. |
| Secure Certificate Enrollment Agents | | | ● | Samsung provides a free set of certificate enrollment agents that follow the latest security protocols. There is no reason to enroll certificates insecurely, or implement your own protocols. |
| Manage Device Software Updates | ◐ | ◐ | ● | Samsung E-FOTA license enables controlled rollout of firmware updates after internal testing, which avoids compatibility problems with proprietary systems or apps and minimizes user interaction for |
| Remote Control | ◐ | ● | ● | When enabled using device policy settings, this feature allows IT admins to control employee devices remotely to troubleshoot & fix mobile devices in the field. |
| Customization | ◐ | ◕ | ● | Allows IT to customize various aspects of the device software and UI. In addition to what is available in AE, KPE provides additional abilities. KPE Standard offers the ability to enable and disable task manager, hardware keys, multi-window mode, and more. KPE Premium offers the ability to customize boot banner and animation, block specific system notifications, customize items appearing on the power off dialog screen, map volume keys to app task switching, and more. |
| Granular Roaming Controls | ◐ | ◕ | ● | IT can allow and disallow the use of roaming mobile connections that often incur high call, text, and data rates. |
| Admin Device Lock | ◐ | ◐ | ● | Allows IT to lock out all use of a device, including preventing access with valid credentials. This functionality is valuable for handling end-user policy violations, including travel to hostile countries. |
| Data Sharing Policy | ◐ | ◐ | ● | AE provides search-for-work-contacts in personal contacts, but KPE provides data sync of Contacts, Calendar, and Notifications. KPE also provides a unified Calendar with both personal and work events. |
| Firewall Management | | ● | ● | Industry-exclusive ability to set device firewall rules. KPE can also notify IT when employees attempt to visit blocked domains. |
| Granular Device Policies | | ◐ | ● | Meet compliance or other deployment requirements with policies not supported on AE for SMS/MMS disclaimers, RCS/SMS/MMS logging, call restrictions, read and write restrictions on SD cards, granular Bluetooth profile restrictions, and even manage DeX deployment settings. |
| Unlock using Active | | | ● | No need to make employees remember separate credentials for Windows laptops and mobile devices. Device users can use their existing Active Directory credentials to unlock their devices. |
| Split Billing (Dual APNs) | | | ● | Enables enterprises to pay only for the data usage of their approved business apps. Employees are responsible for fees for personal data usage. |
| Network Analytics | | | ● | Allows IT to deploy network threat detection solutions without granting such tools complete access to all network traffic. |
| VPN Granularity: Per-App, Per-Container, or Whole Device | ◐ | ◐ | ● | KPE provides the most granular VPN controls. You can configure KPE with a VPN tunnel not just for a container or individual apps, but also for the whole device. |
| Always On VPN | ◐ | ◐ | ● | KPE has strict controls that block any traffic from bypassing a configured VPN, even in cases where the VPN client crashes or while the device is rebooting. |
| On-Demand VPN | | | ● | You can set VPN to only activate when certain target apps are launched or running. This feature does not require VPN client support. |
| HTTP Proxy over VPN | | | ● | Enables use of web proxies on tunneled VPN traffic. |
| VPN Chaining | | | ● | Allows the use of two VPN tunnels to double-encrypt traffic, enhance anonymity, and prevent a single security bug in a VPN layer from compromising network encryption. |
| Near-instant VPN connection times | | ● | ● | The Knox VPN framework allows a near-instant VPN connection, clocking in at one second. This time is measured from when the VPN handshake and authentication completes, to when the tunnel is established and traffic from any tunneled apps can pass through the VPN. This time threshold applies to all apps—assuming 100 apps enrolled in the VPN profile. |